
Is Anti-virus dead?

Last Century: Anti-virus (AV) was designed last century to deal with last century's malware. It is fair to say times have changed. Significantly.

History: Malware used to be released slowly and with a reasonably consistent signature. This was perfect for signature-based detection and led to the success of anti-virus as we know it. However, malware is now released rapidly - many, many new variants are released daily, each with a unique signature.

Problem: The bad guys have toolkits that allow them to develop a virus that is unique to each victim - for example, you and I can each be attacked with a virus that is unique by signature yet has identical malicious capabilities, such as stealing banking passwords or holding our files to ransom.

Unique: In addition to the easy development of unique viruses, the bad guys now make extensive use of legitimate tools already on your computer. Depending on the commentator, it is estimated that 40%-60% of all attacks are malware-free - i.e. they do not use a virus or malware of any kind. A signature-based technology has no ability to defend against this type of attack.

Connectivity: Compounding this issue further is the ubiquitous use of the Internet. There are not many people, organisations or places in the world that are not now interconnected by the Internet, and at very high speed. This provides the perfect breeding ground for quickly developed and deployed disposable malware. It is trivial for a criminal to launch a campaign against a victim using many variations of their malware and, because of this interconnectivity, the criminal can launch many attacks at the same time. It then becomes a numbers game. Simple statistical analysis will demonstrate that some attacks are going to be successful, in part because many people steadfastly hold onto outdated and inadequate security tools.

AV Failure: WannaCry is the poster child for security tool failure. Some may applaud the AV vendors for developing a signature 48 hours after the outbreak. However, the tens of thousands who were affected are unlikely to be among those applauding.

Solution: There is a piece of the story that seems to have gone largely untold. A small group of innovative companies utilising a new type of technology successfully defended against WannaCry and continue to successfully defend against subsequent ransom and other attacks. These technologies are not based on signature detection. They assess behaviours. To use a ransom example: an unknown piece of software systematically encrypting files is never a good sign. Therefore, it is prevented. A signature is not needed to determine that this activity is undesirable. The behaviour gives all of the indicators that are needed.

Technology: Our technology partner, CrowdStrike, is an acknowledged leader in this space. CrowdStrike has built a tremendous sensor network and developed a clear baseline of normalised behaviour. Therefore, its detection and prevention capabilities offer extremely high fidelity. To describe this technology as an anti-virus replacement is to undersell its capabilities. But, if nothing else, you will see a security uplift just by using it in this way.

This Century: If your Anti-Virus subscription is coming up for renewal, please contact us for a no-obligation quote and potentially a trial of a technology that will help defend you and your organisation against this century's threats.


0800 463 673 (NZ)

+64 27 554 9243 (Aus, UK)

©2020 by InPhySec.